Two Actual Cases: What worked, what didn't. (Score 2, Interesting)
I ran into a similar situation some years back at Carnegie Mellon University. A friend of mine discovered a means of acquiring AFS authentication tokens belonging to other students. (The tokens were not being destroyed properly. The technique involved editing the boot image (vmunix) with emacs.)
This was a significant security hole. Every year, a couple of idiots try to cheat. With the ability to become any other user, well, Pandora's box was wide open.
My friend asked for my advice on how to proceed. Should he contact the administration? I told him, flat out, if he went to the administration, he could expect to have his computer accounts immediately terminated. Without them, he would receive a forced-fail in all his computer science classes. He could also expect to face a "rubber-stamp" academic review board, and either a suspension or outright expulsion from the school.
This is, unfortunately, not idle speculation. Some years earlier, my best friend at CMU (Jeff) had created a subdirectory. Well, several subdirectories, actually. Nested. The professor (Phil) was a complete loon who couldn't code his way out of a paper bag. He decided Jeff's subdirectories had crashed the system. We accessed the logfiles. Jeff didn't have anything to do with that system going down. That didn't stop the termination of all his computer accounts, the forced-fails, or the academic review board and suspension. My one big regret was that Jeff never filed a lawsuit against CMU.
So, getting back to the AFS hole: I'm a member of the local Alpha Phi Omega chapter. At that time, one of our advisors was an upper echelon hacker, an absolute wizard, who was responsible for a large chunk of the actual implementation on the systems involved. I arranged for a private meeting between the three of us. The details were discussed openly and frankly, along with possible solutions. A trivial fix was put into place.
To the best of my knowledge, no one else, and specifically no one in the administration, was ever notified. My friend continued his education uninterrupted, and eventually obtained his degree.
-D.